[squid-users] Re: Re: Re: Squid + Kerberos + Active Directory

From: Markus Moeller <huaraz_at_moeller.plus.com>
Date: Sun, 7 Jun 2009 18:09:15 +0100

>
>----- Original Message -----
>From: "Truth Seeker" <truth_seeker_3535_at_yahoo.com>
>To: "Markus Moeller" <huaraz_at_moeller.plus.com>
>Cc: "Squid maillist" <squid-users_at_squid-cache.org>
>Sent: Sunday, June 07, 2009 10:23 AM
>Subject: Re: [squid-users] Re: Re: Re: Squid + Kerberos + Active Directory
>
>
>> Dear Markus,
>>
>> After trying all the possible ways, I got at least just for one time an
>> error message in cache.log
>>
>> 2009/06/07 11:31:46| AuthConfig::CreateAuthUser: Unsupported or
>> unconfigured/inactive proxy-auth scheme, 'NTLM
>> TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw=='
>>

So IE or Firefox don't do negotiate.

>>
>> after that I didn't get this message at all..
>>
>> My Client is Win XP with IE 6 and Firefox 3.0.10. It's working really fine
>> behind the MS ISA Server.
>>
>> But no way behind the squid???
>>

Because squid is configured for negotiate/kerberos. Can you do the following
in Firefox:

1) Type about:config in the URL bar
2) In the filter type nego
3) double click on network.negotiate-auth.trusted-uris
4) Enter .panasonic.com
5) Try again

If that does not work can you run the attached binary on your XP desktop as
follows:

getTGT -p HTTP/linuxproxy.panasonic.com

You should get an output like:

getTGT.exe -p HTTP/w2k3r2.win2003r2.home
2009/06/07 17:50:42| getTGT[5180]: Info: Context Key Information:
2009/06/07 17:50:42| getTGT[5180]: Signature Algorithm: (-138)
2009/06/07 17:50:42| getTGT[5180]: Encryption Algorithm: RSADSI
RC4-HMAC(23)
2009/06/07 17:50:42| getTGT[5180]: Key Size: 128
2009/06/07 17:50:42| getTGT[5180]: Info: Context Session Key Length: 16
2009/06/07 17:50:42| getTGT[5180]: Info: Context Client Native Name:
Administrator_at_WIN2003R2.HOME
2009/06/07 17:50:42| getTGT[5180]: Info: Context Server Native Name:
HTTP/w2k3r2.win2003r2.home_at_WIN2003R2.HOME
2009/06/07 17:50:42| getTGT[5180]: Info: Context Start Time: 2009/06/07
17:50:42
2009/06/07 17:50:42| getTGT[5180]: Info: Context End Time: 2009/06/08
03:42:29
2009/06/07 17:50:42| getTGT[5180]: Info: Credential User Principal Name:
Administrator_at_WIN2003R2.HOME
2009/06/07 17:50:42| getTGT[5180]: Info: Credential ExpiryTime: 2009/06/08
03:42:29

and a klist tickets should give:

C:\WINNT\Profiles\Administrator.WIN2003R2.000>klist tickets

Cached Tickets: (2)

   Server: krbtgt/WIN2003R2.HOME_at_WIN2003R2.HOME
      KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
      End Time: 6/8/2009 3:42:29
      Renew Time: 6/14/2009 17:42:29

   Server: HTTP/w2k3r2.win2003r2.home_at_WIN2003R2.HOME
      KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
      End Time: 6/8/2009 3:42:29
      Renew Time: 6/14/2009 17:42:29

C:\WINNT\Profiles\Administrator.WIN2003R2.000>

klist is part of the resource kit tools
(http://www.microsoft.com/downloads/details.aspx?familyid=9d467a69-57ff-4ae7-96ee-b18c4790cffd&displaylang=en)

If getTGT gives an error like:
2009/06/07 17:55:10| getTGT[3640]: InitializeSecurityContext failed:
SEC_E_TARGET_UNKNOWN

it means that either the KDC does not have a principal with the name or the
client does not have a valid user ticket, which can be checked with klist
tgt:

C:\WINNT\Profiles\Administrator.WIN2003R2.000>klist tgt

Cached TGT:

ServiceName: krbtgt
TargetName: krbtgt
FullServiceName: Administrator
DomainName: WIN2003R2.HOME
TargetDomainName: WIN2003R2.HOME
AltTargetDomainName: WIN2003R2.HOME
TicketFlags: 0x40e00000
KeyExpirationTime: 1/1/1601 1:00:00
StartTime: 6/7/2009 17:42:29
EndTime: 6/8/2009 3:42:29
RenewUntil: 6/14/2009 17:42:29
TimeSkew: 1/1/1601 1:00:00

>> i captured the following types of traffic;
>>
>> a. My XP Client + IE 6 <---> ISA Server
>> b. MY XP Client + IE 6 <---> squid-3.0.STABLE13-1.el5 + CentOS 5.2
>> c. more auth packet level details of Client <-> ISA Server
>> d. more auth packet level details of Client <-> Squid
>>
>>
>> Please see the attachments;
>>
>> and hoping for a way to resolve the issue.
>>
>>
>> From all this what I understood is, client is trying to do NTLM auth, but
>> server doesn't support it. OK, if this is the case, how can I tell the
>> client not to use NTLM and just use Kerberos. Second case, how can I
>> configure squid to handle the NTLM based authentication.
>>

There are NTLM helpers available as part of the squid package. Or better, use
the Samba ntlm_auth helper.

>>
>> guide me please...
>>

Regards
Markus
Received on Sun Jun 07 2009 - 17:09:37 MDT
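As an added example (not part of this thread, and not squid or Samba code): a small Python script that decodes the proxy-auth token squid logged in the cache.log line above and reports which mechanism the client actually sent. It recognises raw NTLMSSP messages (and, for a type 1 NEGOTIATE_MESSAGE, its negotiate flags and the Version field) as well as GSS-API InitialContextTokens carrying the SPNEGO or Kerberos OIDs, which is what a browser that really does Negotiate sends. The NTLM token is the one from the thread, re-joined onto one line; the SPNEGO sample is constructed for the example.

```python
import base64
import re
import struct

# Subset of NTLMSSP NegotiateFlags (MS-NLMP 2.2.2.5), bit -> name.
NTLM_FLAGS = {
    0x00000001: "NEGOTIATE_UNICODE",
    0x00000002: "NEGOTIATE_OEM",
    0x00000004: "REQUEST_TARGET",
    0x00000010: "NEGOTIATE_SIGN",
    0x00000020: "NEGOTIATE_SEAL",
    0x00000200: "NEGOTIATE_NTLM",
    0x00008000: "NEGOTIATE_ALWAYS_SIGN",
    0x00080000: "NEGOTIATE_EXTENDED_SESSIONSECURITY",
    0x02000000: "NEGOTIATE_VERSION",
    0x20000000: "NEGOTIATE_128",
    0x40000000: "NEGOTIATE_KEY_EXCH",
    0x80000000: "NEGOTIATE_56",
}

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"

# DER-encoded mechanism OIDs found in GSS-API InitialContextToken headers.
GSS_MECHS = {
    bytes.fromhex("2b0601050502"): "SPNEGO",                       # 1.3.6.1.5.5.2
    bytes.fromhex("2a864886f712010202"): "Kerberos 5",             # 1.2.840.113554.1.2.2
    bytes.fromhex("2a864882f712010202"): "MS Kerberos 5",          # 1.2.840.48018.1.2.2
    bytes.fromhex("2b06010401823702020a"): "NTLMSSP (GSS-wrapped)",  # 1.3.6.1.4.1.311.2.2.10
}


def _der_length(raw, pos):
    """Decode a DER length at raw[pos]; return (length, position after it)."""
    first = raw[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    return int.from_bytes(raw[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def classify_token(b64_token):
    """Identify what a base64 Proxy-Authorization token actually carries."""
    raw = base64.b64decode(b64_token)
    if raw.startswith(NTLMSSP_SIGNATURE) and len(raw) >= 12:
        msg_type = struct.unpack_from("<I", raw, 8)[0]
        info = {"mechanism": "NTLM", "message_type": msg_type}
        if msg_type == 1 and len(raw) >= 16:
            flags = struct.unpack_from("<I", raw, 12)[0]
            info["flags"] = flags
            info["flag_names"] = [name for bit, name in sorted(NTLM_FLAGS.items()) if flags & bit]
            # The 8-byte Version field at offset 32 is only present when NEGOTIATE_VERSION is set.
            if flags & 0x02000000 and len(raw) >= 40:
                major, minor, build = struct.unpack_from("<BBH", raw, 32)
                info["client_os"] = f"{major}.{minor}.{build}"
        return info
    if raw[:1] == b"\x60":
        # GSS-API InitialContextToken (RFC 2743 3.1): 0x60 <len> 0x06 <oidlen> <oid> <inner token>
        _, pos = _der_length(raw, 1)
        if pos < len(raw) and raw[pos] == 0x06:
            oid_len, pos = _der_length(raw, pos + 1)
            oid = raw[pos:pos + oid_len]
            return {"mechanism": GSS_MECHS.get(oid, "unknown GSS mech"), "oid": oid.hex()}
    return {"mechanism": "unknown"}


# Matches squid's "Unsupported or unconfigured/inactive proxy-auth scheme, '<scheme> <token>'".
LOG_LINE_RE = re.compile(r"proxy-auth scheme, '(\S+)\s+([^'\s]+)'")


def diagnose_cache_log_line(line):
    """Pull scheme and token out of the cache.log message and classify the token."""
    m = LOG_LINE_RE.search(line)
    if not m:
        return None
    scheme, token = m.groups()
    info = classify_token(token)
    info["http_scheme"] = scheme
    return info


# The cache.log line quoted in the thread, re-joined onto one line.
THREAD_LOG_LINE = (
    "2009/06/07 11:31:46| AuthConfig::CreateAuthUser: Unsupported or "
    "unconfigured/inactive proxy-auth scheme, 'NTLM "
    "TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw=='"
)

# Constructed minimal SPNEGO token (GSS header plus an empty negTokenInit) for comparison.
SAMPLE_SPNEGO_B64 = base64.b64encode(
    b"\x60\x0a\x06\x06" + bytes.fromhex("2b0601050502") + b"\xa0\x00"
).decode()

if __name__ == "__main__":
    print("thread token:", diagnose_cache_log_line(THREAD_LOG_LINE))
    print("spnego sample:", classify_token(SAMPLE_SPNEGO_B64))
```

Run against the thread's token this reports an NTLM type 1 message with flags 0xa2088207 (UNICODE, OEM, REQUEST_TARGET, NTLM, ALWAYS_SIGN, EXTENDED_SESSIONSECURITY, VERSION, 128, 56) and a Version field of 5.1.2600, i.e. a Windows XP client, which is consistent with the poster's description and with squid, configured for negotiate/kerberos, rejecting it. A token that decodes to a GSS-API header with the SPNEGO OID is the shape to expect once the browser is actually doing Negotiate against the proxy.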
